diff --git a/freeipa.spec.in b/freeipa.spec.in
index 89efd73a4..11ec4876c 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -653,7 +653,12 @@ Requires: python3-sssdconfig >= %{sssd_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
-Requires: authselect >= 0.4-2
+# authselect: sssd profile with-subid
+%if 0%{?fedora} >= 36
+Requires: authselect >= 1.4.0
+%else
+Requires: authselect >= 1.2.5
+%endif
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 # All Fedora 28+ and RHEL8+ contain the service in hostname package
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 36e0eae66..ba467c9f6 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -3157,7 +3157,8 @@ def _install(options):
 sssd=options.sssd,
 mkhomedir=options.mkhomedir,
 statestore=statestore,
- sudo=options.conf_sudo
+ sudo=options.conf_sudo,
+ subid=options.subid
 )
 # if mkhomedir, make sure oddjobd is enabled and started
 if options.mkhomedir:
@@ -3814,6 +3815,12 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface,
 )
 no_sudo = enroll_only(no_sudo)
 
+ subid = knob(
+ None,
+ description="configure SSSD as data source for subid",
+ )
+ subid = enroll_only(subid)
+
 no_dns_sshfp = knob(
 None,
 description="do not automatically create DNS SSHFP records",
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index f9a4112df..b6cd68dc8 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -200,7 +200,7 @@ class BaseTaskNamespace:
 raise NotImplementedError()
 
 def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
- sudo=True):
+ sudo=True, subid=False):
 """
 If sssd flag is true, configure pam and nsswitch so that SSSD is used
 for retrieving user information and authentication.
diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
index 2afe17a4f..a7b5cdf38 100644
--- a/ipaplatform/debian/tasks.py
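Review bot: In `ClientInstallInterface`, the `subid` knob's description, "configure SSSD as data source for subid", does not say what is being switched, although the option decides where subordinate UID/GID ranges (the IDs a user may map into user namespaces) are read from. I would spell that out, e.g. `description="configure SSSD as the nsswitch source of subordinate UID/GID ranges (subid)"`. The option's documentation should also say that, within this commit, only the authselect path acts on it, via the `with-subid` feature. Whether local `/etc/subuid` and `/etc/subgid` entries are still honoured once SSSD is the source is not visible here and is worth stating for administrators who rely on them.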
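Review bot: The docstring of `BaseTaskNamespace.modify_nsswitch_pam_stack` is not updated for the new `subid=False` parameter; the visible part still describes only the `sssd` flag, and the rest of the docstring lies outside the hunk. Since this is the contract every platform namespace overrides, add a sentence such as `If subid is true, also make SSSD the source of subordinate ID ranges; platforms that cannot do this should report it instead of ignoring the flag.`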
+++ b/ipaplatform/debian/tasks.py
@@ -42,7 +42,8 @@ class DebianTaskNamespace(RedHatTaskNamespace):
 return True
 
 @staticmethod
- def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True):
+ def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True,
+ subid=False):
 if mkhomedir:
 try:
 ipautil.run(["pam-auth-update",
diff --git a/ipaplatform/fedora_container/tasks.py b/ipaplatform/fedora_container/tasks.py
index a2b4da3ba..bc748c241 100644
--- a/ipaplatform/fedora_container/tasks.py
+++ b/ipaplatform/fedora_container/tasks.py
@@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
 
 class FedoraContainerTaskNamespace(FedoraTaskNamespace):
 def modify_nsswitch_pam_stack(
- self, sssd, mkhomedir, statestore, sudo=True
+ self, sssd, mkhomedir, statestore, sudo=True, subid=False
 ):
 # freeipa-container images are preconfigured
 # authselect select sssd with-sudo --force
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index b51baf585..9f5ae1979 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -101,7 +101,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
 features = output_items[1:]
 return profile, features
 
- def configure(self, sssd, mkhomedir, statestore, sudo=True):
+ def configure(self, sssd, mkhomedir, statestore, sudo=True,
+ subid=False):
 # In the statestore, the following keys are used for the
 # 'authselect' module:
 # Old method:
@@ -121,6 +122,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
 statestore.backup_state('authselect', 'mkhomedir', True)
 if sudo:
 cmd.append("with-sudo")
+ if subid:
+ cmd.append("with-subid")
 cmd.append("--force")
 cmd.append("--backup={}".format(backup_name))
 
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index d056a4829..4fb620807 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
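Review bot: `subid` is added to `DebianTaskNamespace.modify_nsswitch_pam_stack` but none of the visible lines use it, so on Debian `--subid` appears to be accepted and then ignored; the method body continues outside the hunk, so this should be confirmed there. The same applies to the `FedoraContainerTaskNamespace` and `RHELContainerTaskNamespace` hunks, whose comment says the images are preconfigured with `authselect select sssd with-sudo --force`. An administrator who asked for SSSD-managed subordinate IDs would then get a successful install with the previous subid source still in place. A line such as `if subid: logger.warning("--subid is not supported on this platform; subid source left unchanged")` at the top of each method would make that visible (the container modules define `logger`; whether debian/tasks.py does is not shown).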
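Review bot: `cmd.append("with-subid")` in `RedHatAuthSelect.configure` is sent to authselect with no check that the installed sssd profile offers that feature. The only guard in this commit is the packaging constraint `Requires: authselect >= 1.2.5` / `>= 1.4.0` in freeipa.spec.in, which does not help where that constraint is not enforced. How a failing `authselect select` is handled lies outside the hunk. At minimum add a comment above the new lines, `# with-subid needs an authselect sssd profile that ships the feature (see Requires in freeipa.spec.in)`, so the coupling is not lost when the spec is next touched.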
@@ -245,9 +245,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 f.writelines(content)
 
 def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
- sudo=True):
+ sudo=True, subid=False):
 auth_config = get_auth_tool()
- auth_config.configure(sssd, mkhomedir, statestore, sudo)
+ auth_config.configure(sssd, mkhomedir, statestore, sudo, subid)
 
 def is_nosssd_supported(self):
 # The flag --no-sssd is not supported any more for rhel-based distros
diff --git a/ipaplatform/rhel_container/tasks.py b/ipaplatform/rhel_container/tasks.py
index 5673fc65c..5e81c3121 100644
--- a/ipaplatform/rhel_container/tasks.py
+++ b/ipaplatform/rhel_container/tasks.py
@@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
 
 class RHELContainerTaskNamespace(RHELTaskNamespace):
 def modify_nsswitch_pam_stack(
- self, sssd, mkhomedir, statestore, sudo=True
+ self, sssd, mkhomedir, statestore, sudo=True, subid=False
 ):
 # freeipa-container images are preconfigured
 # authselect select sssd with-sudo --force
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index cae85f620..91e6c6a33 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -994,6 +994,8 @@ def install(installer):
 args.append("--no-sshd")
 if options.mkhomedir:
 args.append("--mkhomedir")
+ if options.subid:
+ args.append("--subid")
 start = time.time()
 run(args, redirect_output=True)
 dur = time.time() - start
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 68cd18eef..d5ab3b512 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -720,6 +720,8 @@ def ensure_enrolled(installer):
 args.append("--no-sshd")
 if installer.mkhomedir:
 args.append("--mkhomedir")
+ if installer.subid:
+ args.append("--subid")
 if installer.force_join:
 args.append("--force-join")
 if installer.no_ntp:
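Review bot: `auth_config.configure(sssd, mkhomedir, statestore, sudo, subid)` in `RedHatTaskNamespace.modify_nsswitch_pam_stack` passes the new flag positionally to whatever `get_auth_tool()` returns, while this commit widens only `RedHatAuthSelect.configure`. If any other `RedHatAuthToolBase` implementation, or the base signature itself, still takes four arguments, this call raises `TypeError` during client install; those definitions are not in the diff, so this needs checking. Passing the flags by name, `auth_config.configure(sssd, mkhomedir, statestore, sudo=sudo, subid=subid)`, also keeps two adjacent booleans from being swapped silently.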